Of course, the solution above is dependent on browser settings: At least a popup (or the yellow bar on top) should display warning the user the webpage wants to execute an ActiveX; and I believe also this should be marked as Unsafe - no matter what, you let your internal user know what is going on and why there is such thing and you block the content if you don't get the MACAddress you want.